A cyberattack earlier this year on JD Sports affected up to 10 million customers. This followed Moncler making the headlines at the beginning of 2022 after a ransomware attack was successful against its systems. The leaked data included information about employees, suppliers, business partners and customers.
Guess was also on the receiving end of a hack in the summer of 2021 and Chanel suffered a similar fate with its South Korean operation.
In the UK, when hacks occur the Information Commissioner’s Office (ICO) expects companies to deal with them proactively and ensure that serious breaches are resolved effectively. We set out how fashion companies can do this.
What do hackers want and how do they get it?
Fashion brands are a gold mine for data that can be exploited. Hackers target clients’ personal information; their financial information and their operations and systems. This is all readily available, especially when brands have online shops.
Hackers can do this through a data breach – which is a targeted attack to secure log ins, where they obtain information; ransomware – where access to files or systems are blocked until a ransom fee is paid; or denial of service attacks – where a system or server is flooded with targeted requests, preventing legitimate requests from being fulfilled.
What actions should you take before a breach?
Good defence is best when it comes to cyber-security. In order to protect your data and brand, it is important to carry out an assessment of the strengths and weaknesses of your current cyber-security framework.
A brand should look at:
- The organisational and technical solutions currently in place:
- Is there a dedicated leadership team who is monitoring cyber-security preparedness and responses?
- Do employees know what do in the event of an attack or breach?
- What software and hardware is vulnerable to attack?
- Identifying the assets within your company that are likely to be targeted by hackers.
- Auditing supply chains to ensure that your partners are on top of their own security measures. Cyber events with a partner/supplier could result in disruption to your own business and/or be used as a backdoor to hack your organisation.
- Cybersecurity insurance (if available).
- Training – both for all members of the organisation and regular mock cyber attacks to ensure your systems are capable with repelling and responding.
What actions should you take if a breach occurs?
The ICO will expect a brand to do the following if it finds itself the victim of a cyberattack.
- Carry out a data breach risk assessment – is there a risk that data subjects will be seriously affected by the breach?
- Inform individuals who have been affected by a high-risk data breach without delay.
- Inform the regulator as soon as practically possible and in any event within 72 hours.
When providing details to affected individuals, a brand needs to inform them, in clear language, of the nature of the breach and what personal data was affected. They should also be provided with details of the relevant contact point or the details of the brand’s data protection officer (DPO).
It is recommended that individuals are provided with information on how the brand will assist them going forward and any actions they can take to protect themselves. ICO guidance outlines that this may include: Forcing a password reset; advising individuals to use strong, unique passwords; and telling them to look out for phishing emails or fraudulent activity on their accounts.
If after a risk assessment, the brand has decided that a notification to the ICO is not necessary, it is still highly advisable that the company records information about the breach and actions taken in response. If the ICO decides that an investigation is necessary, the company may be asked to justify the decisions it made.
Adequate and appropriate handling of data breaches is crucial, not only to ensure that customer personal data is protected, but also to avoid the ire of the regulators. By way of example, in the US Shein was handed a USD1.9m fine by the State of New York, for its handling of a data breach that occurred in 2018. The UK’s ICO is likely to enforce comparable penalties where they consider an organisation’s response was not sufficient.
Reporting the data breach
If a report to the ICO is necessary, then it is important that the following information is captured:
- The approximate number of affected individuals
- How many personal data records were affected
- The name of the DPO or contact point details
- The effects of the breach
- Actions taken in response.
Take home points
If you find yourself on the receiving end of a cyberattack, it is important to be as prepared as possible. Planning in advance is ideal, and is likely to include contingency measures. However, as it may be difficult to plan for all eventualities, the following best practices will also limit what can be hacked:
- Do not store sensitive data in clear text – pseudonymise or encrypt
- Ensure access is on a strict basis
- Don’t hold onto incomplete or old data, whilst it may not be relevant to your business, it can expose the data subjects to malicious actions from hackers
- Ensure the company carries out appropriate security policy and regular cyber security training for staff
- Carry out regular information risk assessments
- Maintain a response and recovery plan
- Identify crucial assets that may be targeted
- Consider auditing your supply chain partners.
Authors
Follow us online
